CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog


The Hacker News, Jun 3, 2026

Why It Matters

The addition to the KEV catalog signals a high‑risk, actively exploited vulnerability that could compromise thousands of e‑commerce sites, prompting mandatory remediation for U.S. government entities and heightened vigilance across the private sector.

Key Takeaways

  • CVE‑2026‑45247 carries a CVSS score of 9.8 (critical severity)
  • The vulnerability affects Mirasvit Cache Warmer versions before 1.11.12
  • CISA added the flaw to the KEV catalog after reports of active exploitation
  • Imperva observed base64‑encoded PHP object payloads targeting US and EU sites
  • FCEB agencies must patch by June 6, 2026

Pulse Analysis

The Magento ecosystem has long been a lucrative target for cybercriminals, and CVE‑2026‑45247 underscores why. The flaw is a deserialization weakness in the Mirasvit Cache Warmer extension: an unauthenticated attacker can supply a crafted PHP object through the CacheWarmer cookie, so no authentication is needed at all. The high CVSS rating reflects that the bug yields remote code execution with minimal effort, and the observed use of base64‑encoded payloads points to a mature, automated exploitation chain that leverages gadget classes already present in Magento.

Industry impact is immediate. Approximately 6,000 known stores run the vulnerable extension, and the actual footprint is likely larger due to CDN masking. CISA’s decision to list the bug in the KEV catalog elevates its priority, compelling federal agencies to patch within days and prompting private operators to audit cookie traffic for the “CacheWarmer:(Tz|Qz|YT)” signature. The focus on gaming and business sites suggests threat actors are probing high‑value transaction environments, where a successful breach could lead to credential theft, ransomware deployment, or data exfiltration.

The broader lesson for e‑commerce stakeholders is the need for rapid vulnerability management and proactive monitoring. Organizations should verify that they run version 1.11.12 or later of the Mirasvit extension, implement Web Application Firewall rules that block suspicious serialized payloads, and regularly review server logs for anomalous cookie values. As the threat landscape continues to evolve, integrating threat intelligence feeds, such as those from Imperva and Sansec, into security operations can provide early warning of emerging exploits and shorten the window of exposure for critical online storefronts.
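The two defensive checks recommended above, auditing web server logs for the "CacheWarmer:(Tz|Qz|YT)" cookie signature and confirming the installed extension version is 1.11.12 or later, as an added example that is not part of the article or of any Mirasvit, Imperva or Sansec tooling. The three prefixes in the signature are the base64 encodings of the PHP serialization markers "O:" (object), "C:" (class) and "a:" (array), which is why they flag a serialized payload without decoding the whole value. Assumptions: HTTP cookies travel as name=value, so the pattern accepts either ":" or "=" after the cookie name; the log format is Apache combined with the Cookie request header appended as a final quoted field; the sample log lines and the sample cookie value are constructed here and are not real payloads; how the installed version string is obtained (for example from composer.lock) is left to the reader.

```python
import base64
import re
from dataclasses import dataclass

# Signature from the article: CacheWarmer:(Tz|Qz|YT). Cookies are sent as
# name=value, so ':' or '=' is accepted after the name (assumption).
COOKIE_SIG = re.compile(
    r"CacheWarmer\s*[:=]\s*(?P<val>(?:Tz|Qz|YT)[A-Za-z0-9+/=]*)"
)

# base64 prefix -> PHP serialization marker it encodes
MARKERS = {"Tz": b"O:", "Qz": b"C:", "YT": b"a:"}

# Patched version per the article; anything older is affected.
FIXED_VERSION = (1, 11, 12)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    prefix: str          # which of Tz / Qz / YT matched
    marker_confirmed: bool  # decoding the first 3 bytes showed a PHP marker


def decode_marker(value: str) -> bool:
    """Decode only the first 4 base64 characters (3 bytes) of the cookie value
    and check whether they begin with a PHP serialization marker. Nothing
    beyond that prefix is decoded, and nothing is executed."""
    head = value[:4]
    if len(head) < 4:
        return False
    try:
        raw = base64.b64decode(head, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw[:2] in MARKERS.values()


def scan_log(lines):
    """Return one Hit per log line whose Cookie field matches the signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COOKIE_SIG.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        val = m.group("val")
        hits.append(Hit(n, client_ip, val[:2], decode_marker(val)))
    return hits


def summarize_by_ip(hits):
    """Count matching requests per client IP, useful for blocking decisions."""
    counts = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


def is_patched(version: str) -> bool:
    """True if a dotted version string is 1.11.12 or later (assumption: the
    extension uses plain numeric dotted versions)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= FIXED_VERSION


# --- constructed sample data (not real traffic, not a real payload) ---------
# The cookie value base64-encodes a labelled plain string that merely starts
# with "O:", so it reproduces the "Tz" prefix without being a serialized object.
SAMPLE_COOKIE = base64.b64encode(
    b"O:CONSTRUCTED SAMPLE, NOT A REAL PAYLOAD"
).decode()

SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2026:10:14:02 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "CacheWarmer=' + SAMPLE_COOKIE + '"',
    '198.51.100.4 - - [03/Jun/2026:10:14:05 +0000] "GET /catalog HTTP/1.1" 200 '
    '8900 "-" "Mozilla/5.0" "PHPSESSID=abc123; form_key=xyz"',
    '203.0.113.7 - - [03/Jun/2026:10:14:09 +0000] "GET /?p=2 HTTP/1.1" 200 5120 '
    '"-" "curl/8.0" "CacheWarmer=benign-constructed-value"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} prefix={h.prefix} "
              f"php_marker={h.marker_confirmed}")
    print("per-IP counts:", summarize_by_ip(scan_log(SAMPLE_LOG)))
    for v in ("1.11.11", "1.11.12", "1.12.0"):
        print(v, "patched" if is_patched(v) else "AFFECTED")
```

Run the script as-is to see it flag only the first constructed line; in production, feed it the access log of each storefront (the Cookie header must actually be logged, which is not the Apache default) and treat any hit with a confirmed PHP marker as a reason to inspect that host for compromise, not merely to block the source IP.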

